Re: [Openvpn-users] TCP syn]

2021-02-24 Thread Marc SCHAEFER
On Wed, Feb 24, 2021 at 10:49:56PM +, tincanteksup wrote: > My idea (as daft as it is) would only serve one purpose: To hide a > listening TCP port. Because there would be no SYN-ACK from the server if > the SYN failed security checks. This is what port knocking does: unfirewall the OpenVPN

Re: [Openvpn-users] TCP syn]

2021-02-24 Thread tincanteksup
Keeping up with the internet is hard: https://squeeze.isobar.com/2019/04/11/the-sad-story-of-tcp-fast-open/ I guess the bottom line is: Use UDP, if you are worried about TCP SYN to your server. ___ Openvpn-users mailing list Openvpn-users@lists.sour

Re: [Openvpn-users] TCP syn]

2021-02-24 Thread tincanteksup
On 24/02/2021 22:30, David Sommerseth wrote: TFO has a bigger advantage in short-lived TCP sessions (like web browsers) where you open several independent TCP connections to fetch data in parallel and then close them down.  Here TFO will have an edge. Agreed. Now you might argue about the

Re: [Openvpn-users] TCP syn]

2021-02-24 Thread David Sommerseth
On 24/02/2021 23:05, tincanteksup wrote: On 24/02/2021 21:28, tincanteksup wrote: On 24/02/2021 20:05, Marc SCHAEFER wrote: On Wed, Feb 24, 2021 at 07:27:09PM +, tincanteksup wrote: I wonder if IPv6 has any new features which can customise the initial Syn packet in any way ? Not to

Re: [Openvpn-users] TCP syn]

2021-02-24 Thread tincanteksup
On 24/02/2021 21:28, tincanteksup wrote: On 24/02/2021 20:05, Marc SCHAEFER wrote: On Wed, Feb 24, 2021 at 07:27:09PM +, tincanteksup wrote: I wonder if IPv6 has any new features which can customise the initial Syn packet in any way ? Not to my knowledge. Why would you want to do th

Re: [Openvpn-users] TCP syn]

2021-02-24 Thread tincanteksup
On 24/02/2021 20:05, Marc SCHAEFER wrote: On Wed, Feb 24, 2021 at 07:27:09PM +, tincanteksup wrote: which suggested to me that openvpn may have some vulnerability to TCP DDos. A Linux kernel can offer a few protections against DDoS, for example SYN cookies to avoid a memory exhaustion w

Re: [Openvpn-users] OpenVPN user session report

2021-02-24 Thread Dante F . B . Colò
Hi Jan,  i 'll take a look at this options also , could also add helpful information on the openvpn server log. Thanks. On 23/02/21 14:11, Jan Just Keijser wrote: Hi Dante, On 23/02/21 18:01, Dante F. B. Colò wrote: Hi everyone !! I'm looking for some better way to generate a report of us

Re: [Openvpn-users] TCP syn]

2021-02-24 Thread Marc SCHAEFER
On Wed, Feb 24, 2021 at 07:27:09PM +, tincanteksup wrote: > which suggested to me that openvpn may have some vulnerability to TCP DDos. A Linux kernel can offer a few protections against DDoS, for example SYN cookies to avoid a memory exhaustion with fake TCP connection openings. You may have

Re: [Openvpn-users] TCP syn

2021-02-24 Thread tincanteksup
Yep .. got it now, thanks! On 24/02/2021 19:39, Gert Doering wrote: Hi, On Wed, Feb 24, 2021 at 06:01:19PM +, tincanteksup wrote: today I discovered that a server using TCP responds to an initial Syn packet with an ack packet, even with --tls-auth key configured. I presume this is expect

Re: [Openvpn-users] TCP syn

2021-02-24 Thread Gert Doering
Hi, On Wed, Feb 24, 2021 at 06:01:19PM +, tincanteksup wrote: > today I discovered that a server using TCP responds to an initial Syn > packet with an ack packet, even with --tls-auth key configured. > > I presume this is expected and cannot be avoided when using TCP due to > initial IP req

Re: [Openvpn-users] TCP syn

2021-02-24 Thread tincanteksup
Hi Marc, thanks very much for the explanation. I do understand the process but I also find this in the server log: 2021-02-24 18:29:27 us=920500 TCP connection established with [AF_INET]127.0.0.1:42430 and this on the client: nc -v 127.0.0.1 34571 Connection to 127.0.0.1 34571 port [tcp/*] su

Re: [Openvpn-users] TCP syn

2021-02-24 Thread Marc SCHAEFER
On Wed, Feb 24, 2021 at 06:01:19PM +, tincanteksup wrote: > today I discovered that a server using TCP responds to an initial Syn packet > with an ack packet, This is standard TCP protocol (SYN, SYN ACK, ACK). It is executed in the kernel. Only after the client ACK is received by the server wi

[Openvpn-users] TCP syn

2021-02-24 Thread tincanteksup
Hi, today I discovered that a server using TCP responds to an initial Syn packet with an ack packet, even with --tls-auth key configured. I presume this is expected and cannot be avoided when using TCP due to initial IP requirements ? Thanks R

Re: [Openvpn-users] OpenVPN user session report

2021-02-24 Thread Dante F . B . Colò
Hi Gert I will try it , thanks . On 23/02/21 14:07, Gert Doering wrote: Hi, On Tue, Feb 23, 2021 at 02:01:54PM -0300, Dante F. B. Colò wrote: I'm looking for some better way to generate a report of users sessions only to get info when they start and end a session , currently i do it with a sh

[Openvpn-users] OpenVPN 2.5.1 released

2021-02-24 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.5.1. It includes several bug fixes and improvements as well as updated OpenSSL and OpenVPN GUI for Windows. Source code and Windows installers can be downloaded from our download page: Deb